SSAE 22 was issued a couple years ago, back in December 2020, to supersede AT-C section 210 with three primary changes, apply to both SOC 1 and SOC 2:

• Clarification on Review Procedures: SSAE 22 provides explicit guidelines on the types of procedures that may be performed in a review engagement. This includes analytical procedures, inspection, observation, confirmation, recalculation, and reperformance.
• Enhanced Reporting Requirements: The standard mandates an informative summary of the work performed to support the practitioner’s conclusion. While the AICPA sets a minimum bar for this, firms have the flexibility to provide more detailed insights.
• Permission for Adverse Conclusions: If material and pervasive misstatements are identified, practitioners are now required to express an adverse conclusion.

Description of the procedures a practitioner may perform in a review engagement:

The practitioner is now required to identify areas which a material misstatement could arise, and design and perform procedures to obtain reasonable / limited assurance to support the overall report conclusion, even if it is not a standard analytical test. Some additional permitted testing procedures include:

• Analytical procedures
• Inspection
• Observation
• Confirmation
• Recalculation
• Reperformance

Implications for Service Organizations

1. Increased Transparency: The enhanced reporting requirements mean that service organizations can expect more detailed insights into the audit process, which can aid in internal evaluations and risk assessments.
2. Risk of Adverse Conclusions: The new standard allows for the expression of adverse conclusions, making it crucial for service organizations to ensure compliance and accuracy in their operations.
3. Limited Direct Impact: Most of the changes are auditor-centric and will not significantly alter the audit experience for service organizations unless findings are uncovered.

What does it all mean? Does it matter?

For the majority of companies undergoing an audit, the impact of SSAE 22 is minimal. These changes are primarily procedural adjustments that auditors need to make. However, they do set a new standard for transparency and accountability, which can indirectly affect service organizations, especially those with identified audit findings.

By understanding these changes, service organizations can better prepare for audits and align their internal controls and compliance measures accordingly.